Please read: Security Issue on AMO

NOTE: Further investigation has revealed that all versions of Sothink Web Video Downloader are malware free. For more, read our update.

Issue

Two experimental add-ons, Version 4.0 of Sothink Web Video Downloader and all versions of Master Filer were found to contain Trojan code aimed at Windows users. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen, and Master Filer contained Win32.Bifrose.32.Bifrose Trojan. Both add-ons have been disabled on AMO.

Impact to users

If a user installs one of these infected add-ons, the trojan is executed when Firefox starts and the host computer becomes infected. Users with either of these add-ons should uninstall them immediately. Because uninstalling the add-on does not remove the trojan from the user’s system, an antivirus program should then be used to scan for and remove any infection.

Status

This vulnerability is known to affect Firefox on Windows only, and only if either Master Filer or Version 4.0 of Sothink Web Video Downloader is installed. Versions of Sothink Web Video Downloader greater than 4.0 are not infected. Master Filer was downloaded approximately 600 times between September 2009 and January 2010. Version 4.0 of Sothink Web Video Downloader was downloaded approximately 4,000 times between February 2008 and May 2008. Master Filer was removed from AMO on January 25, 2010 and Version 4.0 of Sothink Web Video Downloader was removed from AMO on February 2, 2010. AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.
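The validation chain described above (several independent detectors, with a block if any one of them flags the add-on, and a rescan of already-hosted add-ons once the chain changes) can be sketched as follows. This is an added illustration, not AMO’s code: the XPI is constructed in memory (Firefox add-ons are ZIP archives), the “DLL” member is only a PE magic header plus filler, and the hash blacklist stands in for a real scanner’s signature set.

```python
import hashlib
import io
import zipfile

# Constructed sample XPI. The "DLL" is a stand-in: the PE "MZ" magic
# followed by filler bytes, not a real Win32 executable.
def build_sample_xpi() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome/content/overlay.js", "// extension UI code")
        z.writestr("components/helper.dll", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
    return buf.getvalue()

def find_native_binaries(xpi_bytes: bytes) -> dict:
    """Map every member that looks like a Win32 PE image (MZ header) to its SHA-256.
    Native code is the part of an add-on a scanner most needs to look at."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            if data[:2] == b"MZ":
                found[info.filename] = hashlib.sha256(data).hexdigest()
    return found

def hash_blacklist_detector(signatures: set):
    """Signature-style detector (hypothetical stand-in for an AV engine):
    flags members whose hash is on the current blacklist. Its output changes
    as signatures are added, which is why already-hosted add-ons need rescanning."""
    def detect(binaries: dict) -> list:
        return [path for path, digest in binaries.items() if digest in signatures]
    return detect

def no_native_code_detector(binaries: dict) -> list:
    """Policy detector: flags any embedded native binary at all,
    independent of signatures."""
    return list(binaries)

def validate(xpi_bytes: bytes, detectors: dict) -> dict:
    """Run every detector in the chain; block if any one of them flags something."""
    binaries = find_native_binaries(xpi_bytes)
    hits = {name: det(binaries) for name, det in detectors.items()}
    return {"blocked": any(hits.values()), "hits": hits}
```

A rescan with an updated blacklist, or with the policy detector added to the chain, flags the same XPI that an earlier upload-time scan let through.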

Credit

This issue was originally reported by CatThief.

Antivirus Software

Here is a list of antivirus programs known to detect the trojans found in the affected add-ons.

“AMO performs a malware check on all add-ons uploaded to the site, and blocks add-ons that are detected as such. This scanning tool failed to detect the Trojan in Master Filer. Two additional malware detection tools have been added to the validation chain and all add-ons were rescanned, which revealed the additional Trojan in Version 4.0 of Sothink Web Video Downloader. No other instances of malware have been discovered.”

ftofficer’s question is very legitimate. No matter whether AMO has 0, 100 or 10,000 security checks, apparently it was possible to get viruses uploaded. That’s what matters to us, the users. In essence, it doesn’t seem to have changed, since the only thing that has increased is the number of checks, which apparently are not watertight.
It is not right to argue “see how good their security is, they even find viruses in the addons that are online”. That should have never happened.

@Pino: our malware checks are as good as malware detection tools allow them to be. We made the mistake of having a single check, and now we’ve expanded it to 3, and probably more in the near future.
Your expectation of it “never happening” is equivalent to expecting an antivirus tool to immediately detect every single form of malware in existence. That has never been the case.

We already knew security which depends on blacklists isn’t reliable. What else can AMO do to prevent this from happening again? How else can we be protected from rogue Windows executables embedded in extensions? Any ideas? (I’m sure AMO has already thought about this a lot. I’m interested in hearing what they’ve come up with.)

@dan – given that the Mozilla distributes the OS X version as well, the Mac version “has the same vulnerabilities”; that is, if someone managed to sneak malware into a Mac-specific extension which wasn’t caught, it could be distributed and infect Macs running FF. Unless the payload had some way to elevate its privileges, the amount of harm it could do would be limited, though, and the pool of Mac-infecting malware is many orders of magnitude smaller than the Win32 world’s…

For 2 seconds while I was reading this issue, I was scared that it affected my system too… then I woke up and realised that I was using Ubuntu Linux… Thank God I use Linux for my day-to-day computing!!

@Dan and @Toby: The Mac version does NOT have the same vulnerabilities. (Please see the first sentence in the third paragraph in the above article.) OS X file permissions and root user would not allow an infection like this to affect the whole computer.

Is this only with Sothink downloader v4 or all their addons? The latest version from them is v5.6, and how do we know it is actually uploaded by the company and not someone else pretending to be the official addon?

This post is quite disappointing. It is not a surprise malicious code can get through how many checks you want. The two crucial questions are left unanswered:
– Was it a deliberate or accidental infection (from the extension’s author)?
– What measures are you going to take?

This is not only a Windows problem. Mac and Linux could also be infected, even though it would be limited to user’s space.

Security based on a blacklist is not reliable. Are you going to continue with just a larger blacklist, or are you going to find another way? Are you at last going to forbid any precompiled binary code to be uploaded to AMO? I’d be much more confident with that.

In May 2008, you found a virus in a Vietnamese lang pack. It had also sneaked through the virus checker, because the checker didn’t know about the virus at the time of upload, but did know about it later. You said back then that you’d change your processes to run a virus checker *daily*. This is important, because new viruses get discovered all the time, and virus vendors need some time to add checks for them, so even if you don’t get a hit at time of upload, you may still get a hit 5 days later, even with the same virus checker, assuming you update your virus checker signature files daily.

So, please run all the virus checkers on all the addons *daily*, esp. the DLL parts. You promised to do that, but apparently failed to do so.

Also, I recommend AVG http://free.avg.com/ . Although it’s free, it’s one of the best, per c’t magazine tests.

> How else can we be protected from rogue Windows
> executables embedded in extensions?

Require source code (under Open Source licences) for all addons and compile them yourself.

“Mac … Unless the payload had some way to elevate its privileges”
“OS X file permissions and root user would not allow an infection like this to affect the whole computer.”

While true, that’s meaningless: The important thing is your data and *all* executables you run, including FF addons, can get to that, and to my knowledge also record your keypresses (passwords etc.), so root doesn’t provide any protection for *you*, only for potential (but unlikely) other users on the same machine.

I’m wondering how “secure” the rest of the addons are?
And who can verify that?
What if it was not a complete, well-“known” trojan? Who can really confirm that the addons I’m running are not stealing any personal data, or performing suspicious operations, or possibly opening some backdoors?

If a trojan can make its way that easily into a computer running Firefox, I don’t see any reason why my gmail password can’t be stolen even more easily with a “cool” addon.

Is it possible for some companies to donate the proper licenses and software to Mozilla, allowing them to make stronger checks? Possibly a link to the tool used and information about the malware/virus detected would be useful for those companies too.

Other systems like OS X and Linux have no extensions infected by malware because the first interest is to distribute malware for the Windows platform, since Windows has 92% of market share … therefore to strike the highest number of people in the world.

If this 92% of worldwide market share were OS X, extensions with malware would be for OS X … the same for Linux.

It looks like the current scans of the SoThink 4.0 addon may have been false positives. SoThink updated the addon to 4.2 because of false positive reports in May 2008. Did AMO verify that 4.0 actually contained a trojan?

I’m having a problem with my yahoomail account, in which scroll navigation with the mouse wheel gets blocked from the moment I am composing an e-mail. The Yahoo help has suggested I verify the installed plug-ins in Firefox 3.6.

I didn’t start using computers until I was into my mid-50’s, and then I started using the ‘training-wheels version’ of WebTV; hence to a quite dated iMac. Only when I’d passed 60 years of age did I dare the ‘big leagues’ of a Windows 2000 Pro console. I insert this preamble only to lend background to what may appear a profound dimwittedness to the many who’ve been swimming much closer to the wave crest for a very long time.

I need guidance in the area of either ‘infected addons’ or, more generally, addons/plugins, the downloading of which leads to a Pandora’s Box of nasty and unintended consequences. Being a creative type, I’m always in search of variety; standard forms break me out (much to my chagrin, I might add). So, over a year ago, I chose to spice up my home page with a florid motif full of mauves. It’d only been downloaded by a handful of people, which added an aura of exclusivity to its appeal.

Only later did I learn (all suppositions on my part) that its use resulted in the shrinkage of my desktop area to no more than 85% of my available screen. Beyond this, I have only a broad black strip of no use to me at all. Add to this that the desktop ‘page’ itself cannot be moved in any direction. EXCEPT in the case of Internet Explorer.

I’ve crucified myself and vivisected the guts of this machine trying to undo this mess, only leaving myself more prone to need Xanax and once causing a total collapse of the machine’s function. I’d really be grateful for some light in this darkness. There are areas in which I seem quite bright. If only computing were one.

How do we protect our systems from downloading these add-ons? Pop-ups always come to say “FIREFOX HAS DETECTED THAT THE FOLLOWING ADD-ONS ARE NOT INSTALLED, DOWNLOAD & INSTALL”.
What do we do in this case, and how do we know if my system is infected?

So many people use my systems, online and offline; how do I protect them if I am not at home to monitor them?

Isn’t Mozilla trying to find where these files came from? Were they inserted by the plugin developers? Who are these developers? I would imagine that there would be some sort of liability for uploading trojans.

Good question, but will AMO follow up all detections to find the false positives? Or will they just pull it and almost two years of squeaky-clean updates based on the output from 18 of 40 scanners. It appears that’s what AMO may have done with the SoThink addon.

SoThink reported this issue on its AMO addon’s page and in their forums almost two years ago. AMO’s report smears SoThink’s reputation. We still don’t know that AMO’s report of actual malware is based on proper research. AMO and Mozilla still haven’t replied to my queries as to whether they actually verified this rather than just relying on scanners.

>list of antivirus programs known to detect the trojans found in the affected add-ons.

with no Kaspersky or Norton on the list, on the one hand, and AVG/Avast all-time false positives champions on the other hand (I wonder how come Antivir failed to get there), this whole issue looks like another fit of uneducated malware hysteria. No offence, folks…